`std::process`: Close all file descriptors not explicitly passed

[DemiMarie]

There are libraries, such as wlroots and GLib, that do not atomically set O_CLOEXEC on the file descriptors they create. Instead, they require any program using the library to close every file descriptor between fork() and exec(), except for an allowlist that should be passed to the child process.

GLib implements this in its GSubprocess API. Linux supports this with close_range() and many other OSs have a closefrom() syscall. Linux also has a fallback by iterating over /proc/self/fd using the async-signal-safe getdents syscall.

[comex]

On Darwin this is done with the POSIX_SPAWN_CLOEXEC_DEFAULT flag.

[programmerjake]

some notes on POSIX_SPAWN_CLOEXEC_DEFAULT: python/cpython#109154
also, apparently when adding explicitly inherited file descriptors using posix_spawn_file_actions_addinherit_np they must be less than OPEN_MAX: joyent/libuv#1483

[the8472]

Existing programs may be relying on automatic inheritance, so this would have to be opt-in. But then we would have to make it error under circumstances where the necessary calls aren't available e.g. old linux with procfs not mounted or platforms without closerange.

related: rust-lang/rust#145957